build/build-image.sh

@@ -31,7 +31,7 @@ if [  "$SECURESYS" == "true"  ]; then echo "Intact"
 else echo "Degraded"; fi
 echo "================================"
 
-#set -x
+set -x
 
 export DISTPATH=$DISTPATH
 mkdir -p "$DISTPATH"
@@ -44,8 +44,6 @@ eselect profile set default/linux/amd64/23.0/musl/hardened/selinux
 # STOP TELLING ME ABOUT THE NEWS
 eselect news read new > /dev/null
 
-#id -nu 250 | tee > /build/artifacts/test
-
 # Copy in host configs
 cp -r /build/include-host/* /
 
@@ -56,9 +54,9 @@ cp -r /build/include-host/* /
 
 # We have to ensure use.disable contains at least one flag
 # Otherwise euse -D will disable all global use flags
-#if [[ "$(cat /etc/portage/use.disable)" = *[![:space:]]* ]]; then
-#    euse -D "$(cat /etc/portage/use.disable)"
-#fi
+if [[ "$(cat /etc/portage/use.disable)" = *[![:space:]]* ]]; then
+    euse -D "$(cat /etc/portage/use.disable)"
+fi
 
 # Set install location
 export ROOT="$DISTPATH"
@@ -67,9 +65,9 @@ export ROOT="$DISTPATH"
 #emerge -j "$NPROC" --quiet --update --deep --newuse @world
 
 # Emerge all packages
-#emerge -j "$NPROC" --quiet --autounmask=y --autounmask-write --noreplace @halogenos-image
-#emerge -j "$NPROC" --quiet --update --deep --noreplace @world
-emerge -j "$NPROC" --quiet --autounmask=y --autounmask-write =sys-kernel/gentoo-kernel-6.15.4 | tee /build/artifacts/linux-build-log
+emerge -j "$NPROC" --quiet --noreplace @halogenos-image
+emerge -j "$NPROC" --quiet --update --deep --noreplace @world
+emerge -j "$NPROC" --quiet --autounmask=y sys-kernel/vanilla-kernel
 emerge --depclean
 emerge --unmerge --nodeps portage perl-cleaner
 

build/include-host/etc/portage/package.accept_keywords/cmake

@@ -1 +0,0 @@
-=dev-build/cmake-3.31.7-r1::gentoo ~amd64

build/include-host/etc/portage/package.accept_keywords/ecryptfs-utils

@@ -1 +0,0 @@
-=sys-fs/ecryptfs-utils-111_p20170609-r1 ~amd64

build/include-host/etc/portage/package.accept_keywords/kernel

@@ -1,2 +0,0 @@
-=virtual/dist-kernel-6.15.4 ~amd64
-=sys-kernel/gentoo-kernel-6.15.4 ~amd64

build/include-host/etc/portage/package.use/kernel

@@ -1 +1 @@
-sys-kernel/installkernel dracut
+sys-kernel/vanilla-kernel amd64

build/include-host/etc/portage/patches/sys-kernel/gentoo-kernel/fix-musl.patch

@@ -1,18 +0,0 @@
---- a/tools/include/linux/kallsyms.h
-+++ b/tools/include/linux/kallsyms.h
-@@ -18,6 +18,7 @@ static inline const char *kallsyms_lookup(unsigned long addr,
- 	return NULL;
- }
- 
-+#ifdef HAVE_BACKTRACE_SUPPORT
- #include <execinfo.h>
- #include <stdlib.h>
- static inline void print_ip_sym(const char *loglvl, unsigned long ip)
-@@ -30,5 +31,8 @@ static inline void print_ip_sym(const char *loglvl, unsigned long ip)
- 
- 	free(name);
- }
-+#else
-+static inline void print_ip_sym(const char *loglvl, unsigned long ip) {}
-+#endif
---

build/include-host/etc/portage/patches/sys-libs/libselinux/fix-musl.patch

@@ -1,20 +0,0 @@
---- libselinux-3.6.old/src/selinux_restorecon.c	2023-12-13 10:46:22.000000000 -0400
-+++ libselinux-3.6/src/selinux_restorecon.c	2024-02-17 12:08:29.352291673 -0400
-@@ -436,7 +436,7 @@
- 	file_spec_t *prevfl, *fl;
- 	uint32_t h;
- 	int ret;
--	struct stat64 sb;
-+	struct stat sb;
- 
- 	__pthread_mutex_lock(&fl_mutex);
- 
-@@ -450,7 +450,7 @@
- 	for (prevfl = &fl_head[h], fl = fl_head[h].next; fl;
- 	     prevfl = fl, fl = fl->next) {
- 		if (ino == fl->ino) {
--			ret = lstat64(fl->file, &sb);
-+			ret = lstat(fl->file, &sb);
- 			if (ret < 0 || sb.st_ino != ino) {
- 				freecon(fl->con);
- 				free(fl->file);

build/include-host/etc/portage/sets/halogenos-host

@@ -1,4 +1,3 @@
-=dev-build/cmake-3.31.7-r1::gentoo
 app-portage/gentoolkit
 sys-apps/busybox
 sys-fs/btrfs-progs

build/include-host/etc/portage/sets/halogenos-image

@@ -7,7 +7,5 @@ sys-apps/bubblewrap
 sys-apps/flatpak
 sys-apps/fwupd
 sys-apps/shadow
-sys-fs/ecryptfs-utils
-sys-kernel/linux-firmware
 sys-libs/musl
 virtual/tmpfiles

build/include-host/etc/portage/use.disable

@@ -1 +1 @@
-initramfs
+

compose.yml

@@ -12,16 +12,16 @@ services:
       REQSIG: ${REQSIG}
       DISTURL: ${DISTURL}
     secrets:
-      - pgp_key_public
+      - signing_key_public
     volumes:
       - ./build:/build
   sign:
     image: docker.io/vladgh/gpg
-    command: --batch --import /run/secrets/signing_key_private --passphrase-file /run/secrets/pgp_key_password
+    command: --batch --import /run/secrets/signing_key_private --passphrase-file /run/secrets/signing_key_password
     secrets:
-     - pgp_key_password
-     - pgp_key_private
-     - pgp_key_public
+     - signing_key_password
+     - signing_key_private
+     - signing_key_public
     volumes:
      - ./build/images:/images
   serve:
@@ -30,20 +30,9 @@ services:
      - ./build/images:/images
 
 secrets:
-  # PGP keys: For signing image files, overlays, and other release artifacts.
-  pgp_key_password:
-    file: secrets/HalogenOS_pgp_key_password.txt
-  pgp_key_private:
-    file: secrets/HalogenOS_pgp_key_private.asc
-  pgp_key_public:
-    file: secrets/HalogenOS_pgp_key_public.asc
-  # X509 keys: For signing kernel modules. Unused for now.
-  # Unless keys are synced across builds, kernel modules cannot be used in
-  # overlays, because by default new keys are automatically generated on each
-  # build.
-  x509_key_password:
-    file: secrets/HalogenOS_x509_key_password.txt
-  x509_key_private:
-    file: secrets/HalogenOS_x509_key_private.pfx
-  x509_key_public:
-    file: secrets/HalogenOS_x509_key_public.cer
+  signing_key_password:
+    file: secrets/signing_key_password.txt
+  signing_key_private:
+    file: secrets/HalogenOS_private.asc
+  signing_key_public:
+    file: secrets/HalogenOS_public.asc